THREAT
Path Traversal (Agent)
directory traversal../../../ escalationagent filesystem access
Path traversal in agentic AI occurs when an agent's filesystem-access tools are manipulated to access files and directories outside their intended scope, exposing credentials or application secrets.
ADVERSARIAL MECHANICS
An injected instruction passes a relative path with traversal sequences (../../../../etc/passwd) to a read_file tool. Encoded variants (double-encoding, Unicode normalization) are used to defeat naive string-matching defenses.
PROTOCOL CONTEXT (MCP FILESYSTEM TOOLS)
MCP's filesystem server tools are designed to be scoped to a root. However, this scoping is advisory. McpVanguard provides mandatory enforcement at the proxy layer, independent of the tool server's own validation.
ProvnAI Mitigation
McpVanguard normalizes routed path parameters before evaluation, resolving encoded characters, symlinks or junctions, and relative sequences against configured filesystem safe zones. Paths outside the declared safe root can be blocked deterministically in enforce mode.